Broken Access Control: The basics

What is Access Control

Access control is the set of restrictions that decide which authenticated user (or process) may perform which actions on which resources. Authentication establishes who the requester is; access control decides what that identity is allowed to do, and broken access control is the class of bugs where the application fails to enforce that decision.
Types of Access Control

Access Control Pyramid example
  • Vertical access controls restrict functions and resources by type of user: in the image, User A (an ordinary user) cannot reach admin functionality or privileges.
  • Horizontal access controls restrict functions and resources to the specific user they belong to: in the image, User A cannot read User B's password or any other data of User B's account, even though both are ordinary users.
  • Context-dependent access controls restrict actions based on the current state of the application the user is interacting with: User C cannot modify the items in their shopping cart once the order has already been placed and paid for.
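The three kinds of control above, written as server-side checks in a toy web back end. This is an added example, not code from the original post; the users, carts, the "admin-only" function and the `Forbidden` exception are all constructed for illustration. The horizontal check also shows the classic mistake the post is warning about: trusting the account id supplied by the client instead of comparing it with the authenticated session identity.

```python
# Added example (not from the original post): the three kinds of access
# control above as server-side checks in a toy web back end.  All users,
# carts and the admin-only function are constructed for illustration.
from dataclasses import dataclass, field


class Forbidden(Exception):
    """Raised when an access-control check fails (a web app would answer 403)."""


@dataclass
class User:
    user_id: int
    role: str            # "user" or "admin"
    password_hash: str   # only the account owner (or an admin) may read this


@dataclass
class Cart:
    cart_id: int
    owner_id: int
    items: list = field(default_factory=list)
    checked_out: bool = False   # application state the context check looks at


# Constructed sample data: User A (1), User B (2) and an admin (3)
USERS = {
    1: User(1, "user", "hash-of-user-a-password"),
    2: User(2, "user", "hash-of-user-b-password"),
    3: User(3, "admin", "hash-of-admin-password"),
}
CARTS = {
    10: Cart(10, owner_id=1, items=["book"]),
    11: Cart(11, owner_id=2, items=["laptop"], checked_out=True),
}


def list_all_users(actor: User) -> list:
    """Vertical control: an admin-only function, gated on the user's type."""
    if actor.role != "admin":
        raise Forbidden("admin role required")
    return sorted(USERS)


def get_password_hash(actor: User, account_id: int) -> str:
    """Horizontal control: a user may read only their own account.

    The check compares the authenticated session identity (actor) with the
    id the client asked for.  Trusting the requested id alone is the classic
    IDOR bug that lets User A read User B's data."""
    if actor.user_id != account_id and actor.role != "admin":
        raise Forbidden("not your account")
    return USERS[account_id].password_hash


def update_cart(actor: User, cart_id: int, items: list) -> Cart:
    """Horizontal + context-dependent control: your own cart, and only while
    it has not been checked out yet."""
    cart = CARTS[cart_id]
    if cart.owner_id != actor.user_id:
        raise Forbidden("not your cart")
    if cart.checked_out:
        raise Forbidden("cart already bought; start a new order instead")
    cart.items = list(items)
    return cart


def allowed(fn, *args) -> bool:
    """True if the call passes its access-control checks, False if refused."""
    try:
        fn(*args)
    except Forbidden:
        return False
    return True


if __name__ == "__main__":
    a, b, admin = USERS[1], USERS[2], USERS[3]
    print("A lists users      :", allowed(list_all_users, a))            # False
    print("admin lists users  :", allowed(list_all_users, admin))        # True
    print("A reads own hash   :", allowed(get_password_hash, a, 1))      # True
    print("A reads B's hash   :", allowed(get_password_hash, a, 2))      # False
    print("A edits own cart   :", allowed(update_cart, a, 10, ["pen"]))  # True
    print("A edits B's cart   :", allowed(update_cart, a, 11, []))       # False
    print("B edits bought cart:", allowed(update_cart, b, 11, []))       # False
```

Note that every check takes the actor from the session object, never from the request parameters, and that the cart update applies both the horizontal and the context check; an application that only verified ownership would still let a user rewrite an order that has already been paid.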

Access control security models

  • Discretionary access control (DAC) expresses restrictions per user or group of users. The protected data has an owner, and that owner decides which users get which permissions on it.
  • Mandatory access control (MAC) is far more restrictive: access rights are fixed by a central policy (for example by classification labels on users and data), and, unlike DAC, the owner of the data cannot change them.
  • Role-based access control (RBAC) defines named roles with access privileges assigned to them, and users are assigned one or more roles. RBAC keeps access control manageable in complex applications, and works best when there are enough roles to express the distinctions the application actually needs; a single catch-all role gives no real separation.
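The three models above as small policy engines that all answer the same question, "may this subject perform this action on this object?". This is an added example, not code from the original post. The subjects, objects, labels and roles are constructed for illustration, and the MAC engine uses a multilevel "no read up, no write down" rule as one common MAC policy; the post itself does not name a specific policy.

```python
# Added example (not from the original post): the three models above as small
# policy engines answering "may SUBJECT do ACTION on OBJECT?".  Every subject,
# object, label and role below is constructed for illustration.


class DacStore:
    """DAC: each object has an owner who holds the access list for it and is
    the only principal who can grant rights on it to other users."""

    def __init__(self):
        self.owner = {}   # object -> owner
        self.acl = {}     # object -> {subject: set of actions}

    def create(self, owner: str, obj: str) -> None:
        self.owner[obj] = owner
        self.acl[obj] = {owner: {"read", "write"}}

    def grant(self, granter: str, obj: str, subject: str, action: str) -> bool:
        """Only the owner may change the ACL; returns False if refused."""
        if self.owner.get(obj) != granter:
            return False
        self.acl[obj].setdefault(subject, set()).add(action)
        return True

    def allowed(self, subject: str, action: str, obj: str) -> bool:
        return action in self.acl.get(obj, {}).get(subject, set())


# MAC: labels are assigned by a central policy and no owner can alter them.
# Illustrated with a multilevel "no read up, no write down" rule (one common
# MAC policy; the post does not name a specific one).
LEVELS = {"public": 0, "internal": 1, "secret": 2}


def mac_allowed(subject_clearance: str, action: str, object_label: str) -> bool:
    s, o = LEVELS[subject_clearance], LEVELS[object_label]
    if action == "read":
        return s >= o      # may read at or below own clearance
    if action == "write":
        return s <= o      # may write only at or above own clearance
    return False


# RBAC: permissions attach to named roles; users are given one or more roles.
ROLE_PERMS = {
    "viewer":     {("invoice", "read")},
    "accountant": {("invoice", "read"), ("invoice", "write")},
    "admin":      {("invoice", "read"), ("invoice", "write"), ("user", "manage")},
}
USER_ROLES = {"alice": {"viewer"}, "bob": {"accountant"}, "carol": {"admin"}}


def rbac_allowed(user: str, action: str, obj_type: str) -> bool:
    """Allowed if any of the user's roles carries (object type, action)."""
    return any((obj_type, action) in ROLE_PERMS[r] for r in USER_ROLES.get(user, ()))


if __name__ == "__main__":
    dac = DacStore()
    dac.create("alice", "report.txt")
    print("DAC bob reads before grant:", dac.allowed("bob", "read", "report.txt"))       # False
    print("DAC bob grants himself    :", dac.grant("bob", "report.txt", "bob", "read"))   # False
    print("DAC alice grants bob      :", dac.grant("alice", "report.txt", "bob", "read")) # True
    print("DAC bob reads after grant :", dac.allowed("bob", "read", "report.txt"))       # True
    print("MAC public reads secret   :", mac_allowed("public", "read", "secret"))        # False
    print("MAC secret writes public  :", mac_allowed("secret", "write", "public"))       # False
    print("RBAC alice writes invoice :", rbac_allowed("alice", "write", "invoice"))      # False
    print("RBAC bob writes invoice   :", rbac_allowed("bob", "write", "invoice"))        # True
```

The contrast worth noticing is where the decision lives: in DAC the owner can widen access at will (and so can malware running as the owner), in MAC the labels come from policy and `mac_allowed` has no "grant" operation at all, and in RBAC changing what a whole class of users may do is a single edit to `ROLE_PERMS` rather than a change on every object.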
